by Paul Lanois, SSCP, CIPP, CIPT, CIPM, Member of the (ISC)² Advisory Council of North America Privacy Working Group
If you have spent any amount of time online recently, then it is extremely likely that you have already heard about the General Data Protection Regulation (the "GDPR"), the European regulation which came into effect on May 25, 2018 and which governs data protection for individuals who have their personal data processed or stored by an organization within the European Economic Area (EEA). Meanwhile, information management professionals are likely to remain very busy in the coming months with the upcoming California Consumer Privacy Act of 2018 (the "CCPA"), which can be considered the most far-reaching data privacy law in the United States so far.
The CCPA is California's new privacy legislation that gives greater privacy rights to Californian residents and creates new obligations on relevant businesses. It shares a number of similarities with GDPR, while maintaining a number of differences with GDPR. There are some overlaps between the two laws and, indeed, the GDPR appears to have been the inspiration behind the CCPA. A large amount of work performed in connection with GDPR preparation provides effective foundations for CCPA compliance, although organizations should also bear in mind the distinctions between both legislations.
The CCPA was passed by the California State Legislature and signed into law by Governor Jerry Brown on June 28, 2018. It enters into effect on January 1, 2020, with enforcement to begin six months after the adoption of the California Attorney General's regulations, or July 1, 2020, whichever is sooner.
Who does the CCPA apply to?
The CCPA applies to a consumer, which can be broadly interpreted to mean any Californian resident. A resident includes any individual who is in the state of California for other than a temporary or transitory purpose, and every individual who is domiciled in the state of California who is outside the state for a temporary or transitory purpose. Given this broad definition, it would seem that a consumer could also potentially include employees, students and other individuals who would be classified as California "residents".
The CCPA applies to any "business" that collects personal information about consumers and does business in the State of California and either:
- Earns annual gross revenues in excess of $25,000,000;
- Annually buys, receives for the business' commercial purposes, sells or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; or
- Derives 50% or more of its annual revenue from selling consumers' personal information.
Nonprofit businesses, as well as companies that do not meet any of the three above thresholds, are not required to comply with the CCPA.
In practical terms, this means that any company that does business with Californian residents will have to consider the CCPA (or at least determine if they meet one of the above thresholds), even if they operate outside of California and do not have any premises or equipment in California.
What information is covered under the CCPA?
The CCPA applies to personal information which is defined widely as any information that relates to a particular consumer or household. This definition means data which relates to a household such as energy or water consumption could be considered personal information for the purposes of the law. For organizations who have already worked on GDPR compliance, there is no significant difference with the EU's concept of "personal data" under the GDPR since data that can be linked to a household is also likely to be indirectly linked to a natural person and therefore constitute "personal data" under the GDPR.
The CCPA provides a comprehensive list of examples of what constitutes personal information, which is helpful for organizations. Examples expressly cited include:
- Identifiers, such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers, as long as such identifiers can be connected with an individual or household;
- Biometric information, which includes any physiological, biological or behavioral characteristics, such as an individual's DNA, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, a faceprint, a voiceprint, keystroke patterns or rhythms, and sleep, health, or exercise data that contain identifying information;
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement;
- Geolocation data;
- Audio, electronic, visual, thermal, olfactory, or similar information;
- Inferences drawn from any of the information to create a profile about a consumer, including their preferences, characteristics, psychological trends, predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes.
Certain data is however excluded from the CCPA, such as personal information made available in federal, state or local government records (which are called "publicly available data"), de-identified or aggregated data as well as information covered by other applicable laws and regulations, such as HIPAA (covering medical and patient health information), the Gramm-Leach-Bliley Act (covering information maintained by financial institutions), the Driver’s Privacy Protection Act (covering motor vehicle and driver’s license information), and the California Financial Information Privacy Act, just to name a few.
What are the potential penalties under the CCPA?
The CCPA allows for fines up to $2,500 per violation (or $7,500 if the violation is deemed intentional, but violations lacking 'intent' will remain subject to the $2,500 maximum fine) but does not place a limit on the total amount of the fine which may be imposed (contrary to GDPR). There is therefore the potential for extremely high penalties, with fines being able to be multiplied by the number of impacted individuals. The current version of the law also provides businesses with a 30-day period to cure their alleged violations after being notified of such violation.
However, in the event of a data breach, the CCPA provides that a consumer may bring a civil action to recover damages. The amount of damages which may be imposed is between $100 and $750 per consumer and per incident, or the actual damages suffered by the consumer, whichever is greater. In addition to such financial penalties, the consumer may request injunctive or declaratory relief.
How granular should my organization's data management be?
CCPA places great emphasis on the documentation that businesses must keep to demonstrate their accountability. In other words, compliance will require organisations to review their current approach to governance and analyse how they actually manage data protection as a corporate issue. In particular, the CCPA requires covered organisations to ensure that effective systems and processes are in place to give effect to the following rights:
- The right to be informed
- The right of access
- The right to deletion
- The right to data portability
- The right to opt-out of the sale of the information
Organizations will need, for example, to have a policy in place to determine when certain data is no longer necessary to retain, how individuals will be able to withdraw their consent, and how to deal with user requests when they object to the processing of their data. The good news is that businesses will be able to leverage the privacy notices they have already put in place for GDPR; however, they will also have to consider certain CCPA specificities.
For example, both laws include a right of access giving individuals the possibility to obtain similar information that the organization has on them; however, the time frame is not exactly the same (within a month under the GDPR and within 45 days under the CCPA) and the GDPR allows the individual to access more information (e.g. in relation to automated decision-making). In addition, the CCPA only requires disclosure regarding personal information covering the 12-month period from the date of receipt of the request, whereas the GDPR does not have any time limitation (the information to be provided to the consumer under the GDPR could therefore span a period of multiple years, e.g. from the date the consumer started the relationship with the business). Like the GDPR, the right to deletion under the CCPA is not unlimited and the organization may refuse a deletion request on certain grounds, for example if the information is needed to complete the transaction for which it was collected or is needed to provide goods or services requested by the consumer; or if the information is used to detect security incidents and protect against malicious, deceptive, fraudulent, or illegal activity; or is required to comply with a legal obligation or applicable laws.
In addition, both the GDPR and the CCPA require organizations to disclose if personal data would be sold; however, the CCPA goes one step further by requiring businesses to provide a clear and conspicuous link on the business’s Internet homepage titled “Do Not Sell My Personal Information” to facilitate the opt-out by consumers of the sale of personal information. In addition, the CCPA requires the creation of three different lists of categories of personal information that the business has, over the preceding 12 months, a) collected, b) sold, or c) disclosed for business purposes (or the fact that it has not done so). The level of detail expected for such lists is still unclear at this stage.
In addition, minors under the age of 16 have an opt-in right: a business may not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age (or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age), has opted in to authorize the sale of personal information.
Last but not least, the data portability right under both the GDPR and the CCPA allows consumers to request a copy of their personal information "in a readily useable format that allows the consumer to transmit this information from one entity to another"; however, the CCPA does not go as far as the GDPR, which allows consumers to request the organization to directly send the personal information to another organization.
The above are only some of the differences between GDPR and the CCPA, and have been listed to illustrate how important it is for organizations to carefully consider the different requirements under both GDPR and CCPA.
Can organizations charge fees?
A business cannot discriminate against a consumer who exercises his or her rights under the CCPA. In other words, the CCPA prevents a business from charging a consumer a fee because he or she exercised a right under the CCPA (such as requesting their information to be deleted or opting out from the sale of personal information).
The CCPA contains a non-exhaustive list of discriminatory practices, which includes:
- denying goods or services to the consumer,
- charging different prices or rates for goods or services (including through the use of discounts, other benefits or penalties),
- providing a different level or quality of goods or services to the consumer if the consumer exercises his rights,
- simply suggesting that the consumer will receive a different price or rate or a different level or quality.
However, the CCPA does allow a business to charge a different price or provide a different level of service to customers if “that difference is reasonably related to the value provided to the consumer by the consumer’s data.” Accordingly, a business may offer financial incentives, such as the payment of a compensation for the collection of personal information, or offer a different price, rate, level, or quality of goods or services if that price or difference is directly related to the value provided to the consumer by the consumer’s data.
What security measures are required under the CCPA?
The CCPA provides that any consumer whose non-encrypted or non-redacted personal information is "subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures" may file a civil action and recover between $100 and $750 in statutory damages per incident, or actual damages. At this stage, a consumer’s right to litigate only applies to data breaches, not to violations under any other section.
What lies ahead?
Even though the CCPA was signed into law on June 28, 2018 and is set to enter into effect on January 1, 2020, amendment bills are still continuing to make their way through the California Legislature. In addition, California's Attorney General is also expected to issue regulations over the coming months. As a result, it is possible that some of the information described above may change before the law enters into effect or is enforced.
While the CCPA is not yet applicable, its enforcement date is rapidly approaching and it is necessary to use the remaining time to prepare for the new requirements. The scope of the requirements is broad: the CCPA forces a company-wide strategy and review of processes for managing personal data on every level, and it includes various types of online data in its definition of personal information. New rights and obligations must be accounted for and every organization will have to work out its own approach to reflect the context and practices of the business. At the very least, a business should be mapping the personal information that it collects and the locations where personal information is stored. In this regard, the CCPA is not the only new or updated privacy law to be enacted in the United States: other states, such as Nevada and Utah, have recently updated their privacy laws, and it is expected that more states will follow.